Handling Multiple Table Inserts and Placeholders

Questions and Answers

What is the main reason for using PHP as an interface to MySQL?

To log in to MySQL using the command line

To retrieve data from a MySQL database

To create a SQL database

To format the results of SQL queries in a form visible in a web page (correct)

What is the correct sequence of steps to use MySQL with PHP?

Connect, select database, prepare query, perform query, retrieve results (correct)

Connect, prepare query, perform query, retrieve results, disconnect

Connect, prepare query, retrieve results, perform query, disconnect

Disconnect, prepare query, perform query, retrieve results, connect

What is the purpose of creating a login file in PHP?

To store database-specific features

To format query results

To store login and password details (correct)

To access the MySQL database directly

What does PDO stand for in the context of PHP and MySQL?

PHP Data Objects

What statement is used to include a login file in PHP?

require_once

What can a hacker do to exploit an HTML form?

Use the View Source feature to extract the form

Why should you never trust variables fetched from the $_GET or $_POST arrays?

Because they may contain malicious input

What is the purpose of using the quote function in MySQL?

To escape all necessary characters in a string

What is the purpose of the stripslashes function in PHP?

To remove unwanted slashes from a string

What is the purpose of the htmlentities function in PHP?

To remove HTML from a string

Study Notes

Handling Multiple Table Inserts

• When processing a purchase, insert a new customer into the Customers table and refer to the newly created CustId when inserting a purchase into the Purchases table
• Using AUTO_INCREMENT, insert data in multiple tables, retaining the insert ID returned for storing in the related table

Placeholders and Security

• Placeholders are positions within prepared statements in which data is transferred directly to the database, preventing user-submitted data from being interpreted as MySQL statements
• Using placeholders is the best and recommended way to interact with MySQL, providing security against hacking and SQL injection

Practical MySQL Techniques

• Creating and dropping tables
• Inserting, updating, and deleting data
• Protecting the database and website from malicious users

Creating a Table

• Creating a database to hold details about different types of cats
• Columns for family, name, age, and a unique identifier (id)

Common MySQL Operations

• Dropping a table (be careful, as it's easy to do and can be dangerous)
• Adding data to a table
• Retrieving rows from a table
• Updating data in a table
• Deleting data from a table

Using AUTO_INCREMENT

• When using AUTO_INCREMENT, the inserted ID is unknown before a row is inserted
• Use the mysql_insert_id function to retrieve the inserted ID

Accessing MySQL Using PHP

• Using PHP as an interface to MySQL to format query results for a web page
• The process involves connecting to MySQL, selecting a database, preparing a query string, performing the query, retrieving results, and outputting them to a web page

Form Handling

• Building forms involves creating a form for users to enter data, sending the data to a web server, interpreting the data, and taking action, which may involve a database.
• A form must have at least the following elements: an opening and closing form tag, a submission type specifying either a GET or POST method, one or more input fields, and the destination URL to which the form data is to be submitted.

Building Forms

• A simple form can be created using PHP, with the form data being submitted to a PHP script.
• Default values can be offered to users in a web form, making it easier for them to fill out the form.

Input Types

• HTML forms allow for a wide range of input types, including text boxes, text areas, checkboxes, radio buttons, and more.

Sanitizing Input

• Handling user data is a security minefield, and it's essential to treat all user data with caution.
• PHP arrays $_GET and $_POST are used to pass form data to PHP.
• To sanitize user input, it's necessary to strip HTML tags, remove unwanted slashes, and escape quotes to prevent malicious input.
• The strip_tags function can be used to remove HTML tags from a string.
• The htmlentities function can be used to convert HTML into a format that can be displayed but not interpreted as HTML by a browser.
• A PHP function like quote can be used to escape necessary characters and add quotes to the start and end of a string to prevent SQL injection.

Submitting Form Data

• Form data can be submitted using either the POST or GET method.
• To submit a group of selections from a web form using a single field name, an array of values can be used.
• To submit a form field without displaying it in the browser, a hidden field can be used.
• The label HTML tag is used to encapsulate a form element and supporting text or graphics, making the entire unit selectable with a mouse-click.

Description

Test your understanding of inserting data into multiple tables and using placeholders to ensure security. Learn how to use AUTO_INCREMENT and prevent user-submitted data from being misused.